Posted On: Jul 19, 2023

With Amazon S3 Inventory, you can now easily review your access control lists (ACLs) on all of your objects to simplify review of access permissions. ACLs were the original way to manage object access when S3 launched in 2006. Now, when migrating to IAM-based bucket policies for access control, you can easily review all of the object ACLs in your buckets before enabling S3 Object Ownership.

S3 Inventory provides a complete list of objects in a bucket and corresponding metadata. The new Object ACLs fields include an Owner element that identifies the object owner, and a Grant element that identifies the grantee and the permission granted. You can activate reporting on object ACLs by navigating to your existing S3 Inventory configuration in the Amazon Web Services Management Console or via API.

By enabling S3 Object Ownership, you can change how S3 performs access control for a bucket so that only IAM policies are used. S3 Object Ownership's ‘Bucket owner enforced’ setting disables ACLs for your bucket and the objects in it, and updates every object so that each object is owned by the bucket owner. We recommend that you carefully review your use of ACLs with inventory reports, migrate to IAM-based bucket policies, and then disable ACLs with S3 Object Ownership.

Amazon S3 Inventory support for Object ACL is now available at no additional charge in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about S3 Inventory, please visit Amazon S3 Inventory and Amazon S3 pricing.